On Tue, Apr 28, 2009 at 1:16 AM, Robert <rob...@openbsd.pap.st> wrote:
> On Mon, 27 Apr 2009 23:20:07 +0200
> Felipe Alfaro Solana <felipe.alf...@gmail.com> wrote:
>
> > And again, I think you mean that running a bridge under OpenBSD is
> > perhaps not the fastest or brightest solution. And I trust you. But
> > again, I have yet to hear a single technical argument on why running,
> > for example, Snort inline on other platforms is a bad idea and makes
> > one stupid.
>
> (Looks like we aren't out of trollfood, yet. ;)

Are you calling me a troll? :)

> You want an example why it is bad to put sensors inline?
> One word: Downtime.

The same holds true for a firewall. If you have a firewall between your DMZ and your internal network and it goes down, unless you are using a HA solution (like one using CARP), then you are screwed anyways.

> If your bridge breaks the network, you can be happy if the insurance
> covers it the first time it happens.
> Contracts and lawyers will get involved and that isn't fun.
> And even if you don't end up having to pay anything, the hair and years
> of life expectancy lost isn't worth it.
>
> Why risk it, when a tap is so much better?

A tap is not a firewall. You can't use the tap to filter traffic you don't want.

>
> (Exceptions prove the rule of sumthin :)
>
> - Robert
> --

http://www.felipe-alfaro.org/blog/disclaimer/